mozilla / bleach

Bleach is an allowed-list-based HTML sanitizing library that escapes or strips markup and attributes
https://bleach.readthedocs.io/en/latest/

bug: Build to Upgrade bleach to 3.3.0 is failing due to django-incident-response 0.5.1 depends on bleach 3.1.4 #630

Closed aquinoelite closed 2 years ago

aquinoelite commented 2 years ago

Describe the bug: Build failed due to "django-incident-response 0.5.1 depends on bleach 3.1.4". The latest version of bleach is 4.1.0. Snyk detects a vulnerability issue on bleach - Cross-site Scripting (XSS).

However, the Heroku build/deploy is failing because django-incident-response 0.5.1 is not accepting the latest version of bleach (3.3.0 or 4.1.0).

My Platform: Heroku deployment, Django 2.2.26

Additional context: https://pypi.org/project/django-incident-response/ https://pypi.org/search/?q=bleach

willkg commented 2 years ago

If I understand this issue correctly, there's nothing we can do in the Bleach project to help you with your issue. You'll need django-incident-response to update what versions of Bleach django-incident-response works with.

You wrote up https://github.com/monzo/response/issues/257 to cover that.

I think they need to change this line: https://github.com/monzo/response/blob/master/setup.py#L10

Hope that helps!
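The failure in this thread is a resolver conflict: the application wants a Bleach at or above the patched release while a dependency's install_requires pins an exact older version, so no candidate satisfies both. The following is an added example, not code from Bleach or from django-incident-response, showing that check with a stdlib-only specifier matcher over a constructed list of Bleach release numbers. The loosened range `>=3.1.4,<5` is an assumed illustration of what a fix to the pinned line in setup.py could look like, not the project's actual change.

```python
"""Minimal PEP 440-style specifier check (added example, not Bleach or
django-incident-response code). It models the conflict in this issue: an
application requiring bleach>=3.3.0 while a dependency pins bleach==3.1.4.
Only the operators ==, !=, >=, <=, >, < on plain dotted versions are handled;
the candidate version list below is constructed for the example."""

import re
from typing import Iterable, List, Tuple

# Constructed list of Bleach releases used as resolver candidates
# (assumption: these are the versions the resolver would see on the index).
CANDIDATE_VERSIONS = ["3.1.4", "3.1.5", "3.2.0", "3.3.0", "3.3.1", "4.0.0", "4.1.0"]

_SPEC_RE = re.compile(r"^\s*(==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.1.4' -> (3, 1, 4); plain dotted release numbers only."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad both tuples with zeros so '5' compares as '5.0.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(version: str, specifier: str) -> bool:
    """True if `version` meets every comma-separated clause of `specifier`,
    e.g. satisfies("4.1.0", ">=3.3.0,<5") is True."""
    v = parse_version(version)
    for clause in specifier.split(","):
        if not clause.strip():
            continue
        m = _SPEC_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, target = m.group(1), parse_version(m.group(2))
        a, b = _pad(v, target)
        ok = {"==": a == b, "!=": a != b, ">=": a >= b,
              "<=": a <= b, ">": a > b, "<": a < b}[op]
        if not ok:
            return False
    return True


def resolvable(specifiers: Iterable[str],
               candidates: Iterable[str] = CANDIDATE_VERSIONS) -> List[str]:
    """Candidates that satisfy all specifiers at once. An empty list is the
    situation behind 'django-incident-response 0.5.1 depends on bleach 3.1.4':
    the resolver has nothing to install."""
    specs = list(specifiers)
    return [c for c in candidates if all(satisfies(c, s) for s in specs)]


if __name__ == "__main__":
    # Application requirement from the report vs the dependency's exact pin.
    print(resolvable([">=3.3.0", "==3.1.4"]))        # []
    # Hypothetical loosened pin for the dependency (assumption, not the real fix).
    print(resolvable([">=3.3.0", ">=3.1.4,<5"]))     # ['3.3.0', '3.3.1', '4.0.0', '4.1.0']
```

The practical point for a library author: an exact `==` pin in install_requires means every downstream project inherits that version and cannot pick up a security release until the library itself publishes a new version, so a bounded range is the safer default.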